void CT_cbReturnSeed1()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
unsigned int _stack=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
return_counter++;
if(return_counter!=2)
{
unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
free2(return_bytes);
if(!retn)
{
CT_FatalError("Could not find return");
return;
}
SetBPX(retn+_stack, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}
else
{
SetContextData(UE_ESP, GetContextData(UE_ESP)+4);
SetContextData(UE_EIP, _stack);
CT_cbOtherSeeds();
}
}
void CT_cbSeed1()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int ecx=GetContextData(UE_ECX);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)ecx, &(CT_cert_data->decrypt_seed[0]), 4, 0))
{
CT_FatalError(rpmerror());
return;
}
}
static void cbOnDecryptVersion()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)(esp+4), &g_version_decrypt_buffer, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
SetBPX((g_version_decrypt_call+5), UE_BREAKPOINT, (void*)cbGetVersion);
}
static void cbDecryptCall()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
unsigned int retn=0;
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)esp, &retn, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
SetBPX(retn, UE_BREAKPOINT, (void*)cbReturnDecryptCall);
}
Rocket::Core::ElementDocument* RocketMenuPlugin::GetCurrentPage(Rocket::Core::Context *context) {
ContextData *cd = GetContextData(context);
if (cd != NULL) {
return cd->current_document;
}
return NULL;
}
void CT_cbTeaDecrypt()
{
unsigned int esp=GetContextData(UE_ESP);
unsigned int values[2]= {0};
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp+4), &values, 8, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char first_5_bytes[5]="";
memcpy(first_5_bytes, &values[1], 4);
first_5_bytes[4]=magic_byte_cert;
unsigned char* new_data=(unsigned char*)malloc2(values[1]);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)values[0], new_data, values[1], 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char* temp=(unsigned char*)malloc2(encrypted_cert_real_size+values[1]+5);
if(encrypted_cert_real)
{
memcpy(temp, encrypted_cert_real, encrypted_cert_real_size);
free2(encrypted_cert_real);
}
encrypted_cert_real=temp;
memcpy(encrypted_cert_real+encrypted_cert_real_size, first_5_bytes, 5);
memcpy(encrypted_cert_real+encrypted_cert_real_size+5, new_data, values[1]);
free2(new_data);
encrypted_cert_real_size+=values[1]+5;
}
// Called when a context is destroyed.
void RocketMenuPlugin::OnContextDestroy(Rocket::Core::Context* context) {
ContextData *data = GetContextData(context);
if (data != NULL) {
delete data;
SetContextData(context, NULL);
}
}
static void cbOpenMutexA()
{
char mutex_name[20]="";
long mutex_addr=0;
long esp_addr=0;
unsigned int return_addr=0;
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)esp_addr, &return_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)(esp_addr+12), &mutex_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
CreateMutexA(0, FALSE, mutex_name);
if(GetLastError()==ERROR_SUCCESS)
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)cbVirtualProtect);
else
{
char log_message[256]="";
sprintf(log_message, "[Fail] Failed to create mutex %s", mutex_name);
VF_FatalError(log_message, g_ErrorMessageCallback);
}
}
void CT_cbGetOtherSeed()
{
unsigned int eip=GetContextData(UE_EIP);
DeleteBPX(eip);
unsigned char reg_byte=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(eip+1), ®_byte, 1, 0))
{
CT_FatalError(rpmerror());
return;
}
CT_cert_data->decrypt_addvals[other_seed_counter]=GetContextData(CT_DetermineRegisterFromByte(reg_byte));
other_seed_counter++;
if(other_seed_counter==4)
{
other_seed_counter=0;
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
}
void EV_cbEndLog()
{
unsigned int esp_addr=(long)GetContextData(UE_ESP)+4;
unsigned int return_eip=0;
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &return_eip, 4, 0);
if(GetPE32SectionNumberFromVA(EV_va, return_eip)!=-1)
{
StopDebug();
}
}
/**********************************************************************
* Functions
*********************************************************************/
static void cbGetVersion()
{
DeleteBPX(GetContextData(UE_EIP));
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)g_version_decrypt_buffer, g_szVersion, 10, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
StopDebug();
}
void CT_cbOtherSeeds()
{
puts("cbOtherSeeds");
unsigned int eip=GetContextData(UE_EIP);
unsigned char* eip_data=(unsigned char*)malloc2(0x10000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)eip, eip_data, 0x10000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int stdcall=CT_FindStdcallPattern(eip_data, 0x10000);
if(!stdcall)
{
stdcall=CT_FindCall2Pattern(eip_data, 0x10000);
if(!stdcall)
{
CT_FatalError("Could not find call pattern...");
return;
}
}
eip_data+=stdcall;
unsigned int size=0x10000-stdcall;
unsigned int retn=size=CT_FindReturnPattern(eip_data, size);
if(!retn)
{
CT_FatalError("Could not find RET");
return;
}
unsigned int and_addrs[4]= {0};
for(int i=0; i<4; i++)
{
and_addrs[i]=CT_FindAndPattern2(eip_data, size);
if(!and_addrs[i])
and_addrs[i]=CT_FindAndPattern1(eip_data, size);
if(!and_addrs[i])
{
CT_FatalError("Could not find AND [REG],[VAL]");
return;
}
size-=and_addrs[i];
eip_data+=and_addrs[i];
if(i)
and_addrs[i]+=and_addrs[i-1];
}
CT_SortArray(and_addrs, 4);
other_seed_counter=0;
for(int i=0; i<4; i++)
SetBPX(and_addrs[i]+eip+stdcall, UE_BREAKPOINT, (void*)CT_cbGetOtherSeed);
free2(eip_data);
}
static void cbDw()
{
unsigned int eip=GetContextData(UE_EIP);
DeleteBPX(eip);
BYTE* eip_data=(BYTE*)malloc2(0x1000);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)eip, eip_data, 0x1000, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
unsigned int and20=VF_FindAnd20Pattern(eip_data, 0x1000);
unsigned int minusreg=0;
if(!and20)
{
and20=VF_FindShrPattern(eip_data, 0x1000);
if(!and20)
{
VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback);
return;
}
minusreg=8;
}
unsigned int andreg=eip_data[and20+1]&0x0F;
andreg-=minusreg;
g_extra_options_reg=0xFFFFFFFF;
switch(andreg)
{
case 0:
g_extra_options_reg=UE_EAX;
break;
case 1:
g_extra_options_reg=UE_ECX;
break;
case 2:
g_extra_options_reg=UE_EDX;
break;
case 3:
g_extra_options_reg=UE_EBX;
break;
case 5:
g_extra_options_reg=UE_EBP;
break;
case 6:
g_extra_options_reg=UE_ESI;
break;
case 7:
g_extra_options_reg=UE_EDI;
break;
}
if(g_extra_options_reg==0xFFFFFFFF)
VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback);
free2(eip_data);
SetBPX(and20+eip, UE_BREAKPOINT, (void*)cbDwordRetrieve);
}
// Update state and send info to client: eip module's base address, offset, name
HRESULT
UpdateState()
{
bool bRes = FALSE;
HRESULT hRes = E_FAIL;
DWORD dwRes = 0;
ULONG64 PrevBase = g_Base;
ULONG NameSize = 0;
HANDLE hProcess;
g_Offset = GetContextData(UE_CIP);
bRes = DbgGetModuleAt((duint)g_Offset, g_NameBuffer);
if (!bRes)
{
_plugin_logprintf("[sync] UpdateState: no module at %p...\n", g_Offset);
return hRes;
}
g_Base = DbgModBaseFromName(g_NameBuffer);
if (!g_Base)
{
_plugin_logputs("[sync] UpdateState: could not get module base...");
return hRes;
}
// Check if we are in a new module
if ((g_Base != PrevBase) & g_SyncAuto)
{
hProcess = ((PROCESS_INFORMATION*)TitanGetProcessInformation())->hProcess;
dwRes = GetModuleBaseNameA(hProcess, (HMODULE)g_Base, g_NameBuffer, MAX_MODULE_SIZE);
if (dwRes==0)
{
_plugin_logputs("[sync] could not get module base name...");
return hRes;
}
#if VERBOSE >= 2
_plugin_logprintf("[sync] UpdateState: module : \"%s\"\n", g_NameBuffer);
#endif
hRes = TunnelSend("[notice]{\"type\":\"module\",\"path\":\"%s\"}\n", g_NameBuffer);
if (FAILED(hRes)){
return hRes;
}
}
hRes = TunnelSend("[sync]{\"type\":\"loc\",\"base\":%llu,\"offset\":%llu}\n", g_Base, g_Offset);
return hRes;
}
void RocketMenuPlugin::SetPreviousItemValue(Rocket::Core::Context *context) {
ContextData *cd = GetContextData(context);
if (cd != NULL) {
Rocket::Core::ElementDocument *doc = cd->current_document;
if (doc != NULL) {
DocumentData *dd = GetDocumentData(doc);
if (dd != NULL) {
SetPreviousItemValue(dd->active_item);
}
}
}
}
void GenericOEPTraceHit()
{
char* szInstructionType;
typedef void(TITCALL * fEPCallBack)();
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
glbEntryTracerData.MemoryAccessed = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[1];
glbEntryTracerData.AccessType = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[0];
szInstructionType = (char*)DisassembleEx(dbgProcessInformation.hProcess, (void*)glbEntryTracerData.MemoryAccessedFrom, true);
StepInto(&GenericOEPTraceHited);
}
void RocketMenuPlugin::HighlightPreviousItem(Rocket::Core::Context *context, const Rocket::Core::String& docId) {
Rocket::Core::ElementDocument *doc = NULL;
if (docId == "") {
ContextData *cd = GetContextData(context);
doc = cd->current_document;
} else {
doc = context->GetDocument(docId);
}
if (doc != NULL) {
HighlightPreviousItem(doc);
} else {
printf("[ROCK] RocketMenuPlugin::HighlightPreviousItem: document not found: %s\n", docId.CString());
}
}
void EV_cbVirtualProtect()
{
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
BYTE* header_code=(BYTE*)malloc2(0x1000);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0);
if(*(unsigned short*)header_code != 0x5A4D) //not a PE file
{
free2(header_code);
return;
}
free2(header_code);
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
sec_data=(BYTE*)malloc2(sec_size);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
unsigned int SetEnvA=0,SetEnvW=0;
SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
}
}
//SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW);
SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
}
}
//SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA);
}
void RocketMenuPlugin::DoItemAction(ItemAction action, Rocket::Core::Context *context, const Rocket::Core::String& id) {
ContextData *cd = GetContextData(context);
if (cd->current_document != NULL) {
DocumentData *dd = GetDocumentData(cd->current_document);
Rocket::Core::Element *e = NULL;
if (id != "") {
e = cd->current_document->GetElementById(id);
} else if (dd != NULL) {
e = dd->active_item;
}
if (e != NULL) {
DoItemAction(action, e);
}
}
}
void CT_cbMagicValue()
{
DeleteHardwareBreakPoint(UE_DR1);
unsigned int retrieve_addr=GetContextData(UE_EBP)-magic_ebp_sub-4;
unsigned int magic_values[2]= {0};
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retrieve_addr, magic_values, 8, 0))
{
CT_FatalError(rpmerror());
return;
}
CT_cert_data->magic1=magic_values[0];
CT_cert_data->magic2=magic_values[1];
if(end_big_loop)
SetBPX(magic_byte, UE_BREAKPOINT, (void*)CT_cbMagicJump);
else
CT_RetrieveSaltValue();
}
bool RocketMenuPlugin::GoBack(Rocket::Core::Context *context, bool notify_delegate) {
ContextData *cd = GetContextData(context);
if (cd->current_document != NULL) {
Rocket::Core::Variant *attr = cd->current_document->GetAttribute("parent");
if (attr != NULL) {
Rocket::Core::String menu_id = attr->Get<Rocket::Core::String>();
if (cd->current_document->HasAttribute("closecmd") && notify_delegate) {
Rocket::Core::String closecmd;
cd->current_document->GetAttribute("closecmd")->GetInto(closecmd);
cd->current_document->RemoveAttribute("closecmd");
m_delegate->DoCommand(cd->current_document, closecmd);
cd->current_document->SetAttribute("closecmd", closecmd);
}
ShowDocument(context, menu_id, false);
return true;
}
}
return false;
}
void RocketMenuPlugin::ShowDocument(Rocket::Core::Context* context, const Rocket::Core::String& id, bool backlink) {
ContextData *cd = GetContextData(context);
Rocket::Core::ElementDocument *new_doc = context->GetDocument(id);
if (new_doc != NULL) {
if (new_doc != cd->current_document) {
if (cd->current_document != NULL) {
if (cd->current_document->IsVisible()) {
cd->current_document->Hide();
if (m_delegate) {
m_delegate->DidCloseMenuPage(cd->current_document);
}
}
if (backlink) {
new_doc->SetAttribute("parent", cd->current_document->GetId());
}
}
cd->current_document = new_doc;
DocumentData *dd = GetDocumentData(cd->current_document);
if (cd->current_document->HasAttribute("default-item")) {
Rocket::Core::String def;
cd->current_document->GetAttribute("default-item")->GetInto(def);
if (dd->menu != NULL) {
HighlightItem(cd->current_document->GetElementById(def));
}
} else {
if (dd->active_item == NULL) {
if (dd->menu != NULL) {
HighlightItem(dd->menu->GetChild(0));
}
}
}
if (!cd->current_document->IsVisible()) {
cd->current_document->Show();
if (m_delegate) {
m_delegate->DidOpenMenuPage(cd->current_document);
}
}
}
} else {
printf("[ROCK] unable to show document with id: %s\n", id.CString());
}
}
void CT_cbMagicJump()
{
if(!patched_magic_jump)
{
BYTE eb[2]= {0xEB,0x90};
WriteProcessMemory(fdProcessInfo->hProcess, (void*)(magic_byte+2), &eb, 1, 0); //patch JNZ->JMP
eb[0]=0x90;
WriteProcessMemory(fdProcessInfo->hProcess, (void*)noteax, &eb, 2, 0);
SetBPX(tea_decrypt, UE_BREAKPOINT, (void*)CT_cbTeaDecrypt);
SetBPX(end_big_loop, UE_BREAKPOINT, (void*)CT_cbEndBigLoop);
DISASM MyDisasm= {0};
MyDisasm.EIP=(UIntPtr)&cmp_data;
Disasm(&MyDisasm);
char register_retrieve[10]="";
strncpy(register_retrieve, MyDisasm.Argument2.ArgMnemonic, 3);
patched_magic_jump=true;
register_magic_byte=DetermineRegisterFromText(register_retrieve);
}
magic_byte_cert=(unsigned char)GetContextData(register_magic_byte);
}
void EV_cbSetEnvA()
{
if(!EV_bpvp_set) //Set VirtualProtect breakpoint
{
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)EV_cbEndLog);
EV_bpvp_set=true;
}
char env_name[256]="", env_valu[256]="";
long text_addr=0;
long esp_addr=(long)GetContextData(UE_ESP);
text_addr=0;
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)(esp_addr+4), &text_addr, 4, 0);
if(text_addr)
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)text_addr, &env_name, 256, 0);
text_addr=0;
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)(esp_addr+8), &text_addr, 4, 0);
if(text_addr)
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)text_addr, &env_valu, 256, 0);
EV_log_var_valA(env_name, env_valu);
}
void EV_cbOpenMutexA()
{
char mutex_name[20]="";
long mutex_addr=0;
long esp_addr=0;
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
esp_addr=(long)GetContextData(UE_ESP)+12;
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0);
CreateMutexA(0, FALSE, mutex_name);
if(GetLastError()==ERROR_SUCCESS)
{
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)EV_cbVirtualProtect);
}
else
{
char EV_log_message[256]="";
sprintf(EV_log_message, "[Fail] Failed to create mutex %s", mutex_name);
EV_FatalError(EV_log_message);
}
}
void IH_cbOpenMutexA() //Callback for OpenMutexA
{
char mutex_name[20]="";
long mutex_addr=0;
long esp_addr=0;
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
esp_addr=(long)GetContextData(UE_ESP)+12;
ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0);
ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0);
CreateMutexA(0, FALSE, mutex_name);
if(GetLastError()==ERROR_SUCCESS)
{
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)IH_cbVirtualProtect);
}
else
{
char log_message[50]="";
wsprintfA(log_message, "Failed to create mutex %s", mutex_name);
g_ErrorMessageCallback((char*)log_message, (char*)"Error!");
}
}
void IH_cbVirtualProtect() // Callback for VirtualProtect
{
char szSecurityAddrRegister[4]=""; //Register that contains a pointer to security.dll
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"OutputDebugStringA", UE_BREAKPOINT, UE_APISTART, (void*)IH_cbOutputDebugStringA);
unsigned int security_addr=0,esp_addr=0,code_size=0;
esp_addr=(unsigned int)GetContextData(UE_ESP);
ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)(esp_addr+4), &security_addr, 4, 0);
ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)(esp_addr+8), &code_size, 4, 0);
DumpMemory(IH_fdProcessInfo->hProcess, (void*)security_addr, code_size, (char*)"security_code.mem");
if(GetContextData(UE_EAX)==security_addr)
strcpy(szSecurityAddrRegister, "EAX");
else if(GetContextData(UE_ECX)==security_addr)
strcpy(szSecurityAddrRegister, "ECX");
else if(GetContextData(UE_EDX)==security_addr)
strcpy(szSecurityAddrRegister, "EDX");
else if(GetContextData(UE_EBX)==security_addr)
strcpy(szSecurityAddrRegister, "EBX");
else if(GetContextData(UE_ESI)==security_addr)
strcpy(szSecurityAddrRegister, "ESI");
else if(GetContextData(UE_EDI)==security_addr)
strcpy(szSecurityAddrRegister, "EDI");
else
{
g_ErrorMessageCallback((char*)"There was an error recovering the correct register.\n\nThe program will quit now!", (char*)"Error!");
ExitProcess(1);
}
g_PtrTargetData->CodeSize=code_size;
strcpy(g_PtrTargetData->SecurityAddrRegister, szSecurityAddrRegister);
}
void EV_cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
sec_data=(BYTE*)malloc2(sec_size);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
unsigned int SetEnvA=0,SetEnvW=0;
SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
}
}
SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
}
}
SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
}
static void cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
sec_addr-=0x1000;
VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
sec_size=mbi.RegionSize;
sec_data=(BYTE*)malloc2(sec_size);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size);
if(usbdevice)
{
usbdevice+=sec_addr;
unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice);
if(!usb_push)
VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback);
unsigned int invalidkey=0;
for(int i=usb_push; i>0; i--)
{
if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8)
//if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68)
{
invalidkey=i;
break;
}
}
if(!invalidkey)
VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback);
unsigned int extradw_call=0;
unsigned int dw_extracall=0;
DISASM MyDisasm;
memset(&MyDisasm, 0, sizeof(DISASM));
MyDisasm.EIP=(UIntPtr)sec_data+invalidkey;
int len=0;
int call_count=0;
for(;;)
{
len=Disasm(&MyDisasm);
if(len!=UNKNOWN_OPCODE)
{
if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4))
call_count++;
if(call_count==2)
break;
MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len;
if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed)
break;
}
else
break;
}
extradw_call=MyDisasm.EIP-((unsigned int)sec_data);
memcpy(&dw_extracall, sec_data+extradw_call+1, 4);
unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5;
SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw);
}
else
{
/**********************************************************************
* Functions
*********************************************************************/
static void cbDwordRetrieve()
{
DeleteBPX(GetContextData(UE_EIP));
*gPtrExtraOptions=GetContextData(g_extra_options_reg);
StopDebug();
}